A popular WordPress plugin that enables users to easily create responsive sliders is plagued by a security hole that has been actively exploited by cybercriminals, Sucuri reported on Wednesday.
Slider Revolution is a premium WordPress plugin created by ThemePunch that has been sold over 34,000 times on the snippets and scripts marketplace CodeCanyon. The plugin is also wrapped into several theme packages for WordPress.
A vulnerability was found in version 4.1.4 and older of the plugin, but the flaw was patched by the developer back in February with the release of Slider Revolution 4.2. The company listed a “security fix” in the changelog at the time, but it didn’t provide any details because security firms allegedly advised it not to.
An exploit has been published on hacker forums and is being actively used to compromise websites. On Wednesday alone, Sucuri identified 64 IP addresses attempting to trigger the vulnerability on over 1,000 websites. Data from the security firm shows that the attacks started on August 9 and peaked on August 19 with over 2,500 hits.
According to Sucuri, the zero-day was disclosed via underground forums, so the developer should have actively alerted its customers of the threat, instead of taking the silent patch approach.
The vulnerability can be leveraged to download any file from affected servers, including ones containing sensitive information such as database credentials. With the credentials in hand, an attacker can compromise the targeted website through its database, Sucuri founder and CTO Daniel Cid said in a blog post.
“This type of vulnerability is known as a Local File Inclusion (LFI) attack. The attacker is able to access, review, download a local file on the server. This, in case you’re wondering is a very serious vulnerability that should have been addressed immediately,” Cid explained.
Websites directly using vulnerable versions of Slider Revolution are at risk, but their administrators can easily update their installations via the plugin’s autoupdate feature. The bigger problem is that vulnerable versions of the plugin are bundled with several third-party themes. Users of these themes might not even be aware that Slider Revolution is installed on their website. Furthermore, updates for the themes don’t necessarily contain updates for the included plugins, making the situation confusing for users, Sucuri warns.
ThemePunch has published an alert on CodeCanyon advising users of version 4.1.4 and older to update their installations immediately. They have also provided some advice for the users of themes that include Slider Revolution.
“We are sorry for you guys out there whose slider came bundled with a theme and the theme author did not update the slider. Since you cannot use the included autoupdate function please contact your theme author and inform him about his failure!,” the developers said.